| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
| |
|
|
|
|
| |
This will help avoid a potential race condition in RubyGems
|
|
|
|
|
|
| |
This fixes my test-case reproduction of #6072. I’m pretty sure it’s
because the double-check was overriding the locally installed index
specs with specs fetched from the RubyGems API, causing Bundler to
conclude that the gems aren’t installed, even though they are.
|
|
|
|
| |
Fixes an issue on 2.5.0-dev where using local git overrides would cause an exception because the default bundler had been loaded
|
| |
|
| |
|
|\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
[Source::Rubygems] Remove .gem if downloaded package is invalid
### What was the end-user problem that led to this PR?
The problem was the user could (once) have downloaded a `.gem` file that isn't actually a `.gem`, and that package would poison their cache.
Closes https://github.com/bundler/bundler/issues/5941.
### What was your diagnosis of the problem?
My diagnosis was we should remove the `.gem` right after downloading it if we can't open it.
### What is your fix for the problem, implemented in this PR?
My fix `rm_rf`'s the `.gem` on failure.
### Why did you choose this fix out of the possible options?
I chose this fix because it won't accidentally nuke existing cache entries for a user, but it should help prevent Bundler propagating an issue.
|
| | |
|
| | |
|
|/
|
|
| |
This avoids attempting to double-check in each source for gems that are _in the locally installed set of gems_, which could add hundreds or thousands of extra requests
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Introduce the notion of settings validation & default install to ./.bundle
Thanks so much for the contribution!
To make reviewing this PR a bit easier, please fill out answers to the following questions.
### What was the end-user problem that led to this PR?
The problem was...
### What was your diagnosis of the problem?
My diagnosis was...
### What is your fix for the problem, implemented in this PR?
My fix...
### Why did you choose this fix out of the possible options?
I chose this fix because...
|
| | |
|
| | |
|
|/ |
|
| |
|
| |
|
|\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
r=segiddins
Compare sources using source's root
### What was the end-user problem that led to this PR?
Given a setup where:
1. A project's Gemfile makes use of another project's Gemfile and the `eval_gemfile` method to share the dependencies. Something like:
```ruby
# project_plugin's Gemfile
eval_gemfile(File.expand_path("../../main_project/Gemfile", __FILE__))
```
2. The main project includes a path gem in it that is nested in the main project:
```ruby
# main_project's Gemfile
gem "foo_gem", :path => "vendor/foo_gem"
```
3. A `bundle install` is followed by a `bundle install --deployment`, the second of which triggers a comparison of the `lockfile.sources` and the `Bundler.definition`
A error will occur when comparing the specs, saying the the "foo_gem" source has been deleted:
```console
$ bundle install
...
$ bundle install --deployment
You are trying to install in deployment mode after changing
your Gemfile. Run `bundle install` elsewhere and add the
updated Gemfile.lock to version control.
the gemspecs for path gems changed
You have deleted from the Gemfile:
* source: source at `../main_project/vendor/foo_gem`
```
### What was your diagnosis of the problem?
(extracted from the commit message)
When doing the following:
expand(other.original_path)
inside a `Bundler::Source::Path` instance, the `@root_path` from the instance that is having `eq?` called on it, the the `other` instance's `root_path`. This, in obscure cases, can cause a bug when you are doing an nested eval_gemfile or other calls when comparing the lockfile's locked path sources to the `Bundler.definition`'s path sources.
### What is your fix for the problem, implemented in this PR?
Use a new public method, `Bundler::Source::Path#expanded_original_path`, in the `eq?` method instead of using's the instance's `#expand` method.
### Why did you choose this fix out of the possible options?
(extracted from the commit message)
Creating the `expanded_original_path` method allows a public interface to be made available (and doesn't mess with any exiting functionality) that allows comparing the source path of one `Source::Path`'s `expand_path` to another, where each uses their own `root_path` to resolve their full path, instead of sharing the base one and causing edge case bugs
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When doing the following:
expand(other.original_path)
inside a Bundler::Source::Path instance, the `@root_path` from the
instance that is having eql? called on it, the other instance's
root_path. This, in obscure cases, can cause a bug when you are doing an
nested eval_gemfile or other calls when comparing the lockfile's locked
path sources to the Bundler.definition's path sources.
Creating the expanded_original_path method allows a public interface to
be made available (and doesn't mess with any exiting functionality) that
allows comparing the source path of one Source::Path's expand_path to
another, where each uses their own root_path to resolve their full path,
instead of sharing the base one and causing edge case bugs
|
|\ \
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
[2.0] Suppress `Using …` messages during installation when a version has not changed
### What was the end-user problem that led to this PR?
The problem was that `bundle install` output can get very verbose, even when Bundler is not doing anything.
See https://github.com/bundler/bundler-features/issues/33.
### Was was your diagnosis of the problem?
My diagnosis was that bundler was printing a bunch of `Using name (version)` messages, even when we were already using that gem at the same version.
### What is your fix for the problem, implemented in this PR?
My fix is to introduce a feature flag (enabled by default on 2.0), that will only print those extra `Using` messages when `--verbose` is passed, and will continue to print them when there was an old version we can tell users about. Note that we still print a message when installing a gem for the first time.
### Why did you choose this fix out of the possible options?
I chose this fix because it was essentially what had been done in https://github.com/bundler/bundler/pull/3872, and allows for easy feature-flagging.
|
| | | |
|
| | | |
|
|/ / |
|
|\ \
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
[2.0] Remove RubyGems Aggregate & support transitive source pinning
### What was the end-user problem that led to this PR?
The problem was that the resolver could resolve specs from _any_ of the sources specified in the Gemfile, even if that source had nothing to do with the spec in question. This was such a large security vulnerability that, when discovered, it warranted a CVE and its own minor release of Bundler.
Closes #3671.
Closes #3696.
Closes #4059.
### Was was your diagnosis of the problem?
My diagnosis was that we needed to get rid of the notion of a `rubygems aggregate` and enforce that specs could only come either from the source they were declared to come from (the top-level source if declared at the top-level of the Gemfile, else a scoped source), or a source that it transitively "inherited" from the gems that required it.
### What is your fix for the problem, implemented in this PR?
My fix is to disable multiple top-level sources in the Gemfile, remove the RubyGems aggregate, and filter the sources gems could come from as described above.
### Why did you choose this fix out of the possible options?
I chose this fix because it allows doing the filtering in a reasonably performant manner, and refactors the way we handle sources to abstract some of the grossness in such a way that the machinations to make sure that all of the necessary gem info is downloaded is encapsulated into a single method, driven from the definition, rather than being specific to rubygems sources.
See https://github.com/bundler/bundler/pull/4714 and https://github.com/bundler/bundler/pull/4930 for the prior implementation.
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| |/ |
|
| | |
|
| | |
|
| | |
|
|/ |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
Run `rubocop -a --only Style/PercentLiteralDelimiters` and `rubocop --auto-gen-config`.
|
| |
|
| |
|
|\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
[Git] Allow specifying non-branch symbolic refs
> The intention here is to allow installing a gem from git using a
> ref of the form "refs/zuul/" (which are used by the zuul
> continuous-integration system). There are likely other use cases for
> arbitrary refs.
Closes #4845
|
| | |
|
|/ |
|